Doug Houser: From Rea & Associates Studio, this is unsuitable. A management and financial services podcast for entrepreneurs, tenured business leaders, and others who are ready to look beyond the suit and tie culture for meaningful, measurable results. I'm Doug Houser. On this weekly podcast, thought leaders and business professionals break down complicated and mundane topics and give you the tips and insight you actually need to grow as a leader while helping your organization to grow and thrive. If you haven't already, hit the subscribe button, so you don't miss future episodes. And if you want access to even more information, show notes, and exclusive content, visit our website at www.reacpa.com/podcast, and sign up for updates. Back in March, we learned a lot about the difference between managed service providers, MSPs, versus managed security service providers, MSSPs. Today, Jorn Baxstrom and Shawn Richardson are back to talk about the operational differences between the two and whether the service provider you're currently working with is focused on helping you hunt problems in your business, or threats. Welcome back to unsuitable, Jorn and Shawn.
Shawn Richardson: Thank you.
Jorn Baxstrom: Yeah, thanks for having us.
Doug: So, Jorn, I just learned you've got this awesome nickname, called the Network Assassin. I got to find out, how'd you get that nickname? Now, come on. Please share.
Jorn: Well, all of Rea Cyber seems to have a nickname of some sort, and Shawn, or Big Rich as he's called, seems to dole out the nicknames pretty-
Shawn: Yeah.
Jorn: Pretty good.
Shawn: Yup. Comes from a military background, you're never called by your first name. You're never called-
Doug: Got it.
Shawn: Yeah, yeah. So-
Doug: All right.
Shawn: That's how you get your nickname.
Doug: So, what would mine be?
Shawn: Probably, the house.
Doug: Yeah, that's what everybody-
Shawn: The house.
Doug: Yeah, the house, yeah.
Shawn: The house.
Doug: That's similar to what the... At least the PC version of what the Clarks call me.
Shawn: Absolutely.
Doug: Well, we'll leave it there, but no, in all seriousness, I appreciate you guys being on because this is such an important topic. And one obviously, we're dealing more and more with. I mean, you see just all this stuff in the news. Every day we've got pipeline and gas supply was held for ransomware, and go back to SolarWinds and the Target retail attack a number of years ago and all this stuff, and it's everywhere. And it's certainly down into, what I would call owner-managed businesses, middle-market businesses, our clients that are 5 million, 25 million, 50 million, 100 million in revenue. They're targets every day and very vulnerable, because they don't necessarily have the systems, processes, procedures, precautions in place. But, a lot of them, we go out and see, I know when I talk to them, they say, "Oh, well, we got this managed service provider, that takes care of stuff for us. And we're fine." Right? You guys probably hear this all the time. So-
Shawn: Yup.
Doug: When you hear that, you probably cringe a little bit. Shawn, where do you start when you hear that? You say, "Gosh, well, okay. But..." Where does that go?
Shawn: So, good question. For us, we really want to learn about who is supporting them, right? And more importantly, we want to understand, are they doing what they say they're going to do? Or, are they simply signing a contract and keeping the lights on and the network connection and computers running and stuff like that. Jorn has been an IT services supporting person, just in his own right, for literally, the last 19, 20 years. And he came over from an acquisition within the last year. And so, he has seen this firsthand. I don't know Jorn, maybe you can add some insights there.
Jorn: Yeah, yeah. So, I came from basically, a managed service provider role for small businesses, IT consulting. And my job was to just keep the lights on, keep the hardware functioning properly, sometimes monitor the performance of the hardware and the network, fix hardware, software issues on servers and computers. That's not enough anymore really, because of the threat landscape and the ever-evolving technology and the threat actors. And we're always at risk, they're always trying to get in. And the MSSP model is there to help prevent those actions by the threat actors.
Doug: So, then you talk about that managed security service provider, that extra 's' in there. They're not just there as a reactive problem solver. You're also being a little more proactive. Correct? Is that right, Jorn?
Jorn: Yeah, very much so. Much more proactive with regard to intrusion prevention, next-generation firewalls, vulnerability scanning, and basically having an eye on the network at all times, because, you had mentioned ransomware earlier. Ransomware quickly changed from clicking on the wrong link and instantly your computer systems are locked up and your server files are gone. And it's now changing to where those threat actors are in your system, waiting, watching your backups, monitoring those backups. And as you're creating those backups, they're there to encrypt them. And so, they're waiting in the background for the perfect time to encrypt everything. And-
Doug: Wow.
Jorn: It's no longer, "I clicked on a link, now my files are encrypted. Okay, pull cold storage, or an offline backup, and let's restore them." Because, if you don't have the monitoring in place, those backups are now encrypted too. So...
Doug: Wow, that's scary.
Jorn: It is.
Doug: So, Shawn, where do then we start with a client, in terms of say, an assessment? Or, what's a typical opening salvo? Or, to try to get somebody where they need to be?
Shawn: Absolutely, yeah. So, we lead with our cyber risk assessment. It's an information security risk assessment. We have a couple of different levels. We have our Ignite program. We typically like to lead with that, because what that means, is that the program is all-encompassing. So, the very first phase, is we've established right away that the client doesn't have a framework, or some control framework in place, right? So, we will help them build that. And in phase one, we identify right away the things that are hot, sharp, and dangerous within the environment, and we help them fix them. We don't just hand them a report and say, "Hey, oh, by the way, you've got an open door." That would be conduct unbecoming to us, and oftentimes what happens, is organizations will just hand them a report and say, "Here are your problems, fix them."
Doug: Right.
Shawn: And then, they're out, right? And so, what the difference is, is we start to answer your question directly, as we start with identifying those risks right away with a cyber information security risk assessment.
Doug: Got you. And so, how long might that take for a typical, say, $20 million a year, owner-managed, private business and-
Shawn: Yeah, so it depends on size obviously-
Doug: Yeah.
Shawn: And complexity. But, the average is about eight weeks-
Doug: Okay.
Shawn: And a lot of folks would be like, "Man, that seems like a long time. How's it going to affect my operation? Are we going to have people in there stopping business?" This, that, and the other. And the answer is no. We do it in a way where it's hands-on, we're coming in, we're having conversations with the stakeholders within the business and identifying, how they have their hands into the information systems? How they're connected? How the software interacts with each of the systems? Whether it's a manufacturer, or whether it's a healthcare organization, or what have you. So, typically it's about an eight-week process for an organization of about that size.
Doug: Yeah, and it's pretty reasonable I think, I've found for our clients, we obviously have that in mind, in terms of cost and time just to get that initial assessment and some of those-
Shawn: Of course.
Doug: Remedies put in place, so-
Shawn: Yeah, we had a client yesterday where, just being transparent, we presented the Ignite Program to him, and we later learned that he was a little bit more mature. They were just a little bit more mature than we originally thought when we first met with them. And so, I just shared with them, I'm like, "Well, why don't we just do a risk assessment for you? And let's find what open holes are there, if there are any? And help you tie that back to a framework and controls." And he's like, "Ah, man."
Doug: Yeah.
Shawn: That's what I'm looking for, right?
Doug: Absolutely. Yeah, so it's certainly customized in that sense. So-
Shawn: Yup, absolutely.
Doug: Jorn, getting back to, okay, the managed service provider, MSP versus the managed security service provider. We talked a little bit about, what they are looking for and how they act, but what are the operational differences between those two types of organizations?
Jorn: Yeah. I mean, what I mentioned earlier, the MSP's there to fix things, keep the lights on, fix hardware, software issues like that. Where MSSP, they're really giving you visibility into your network, visibility into the data that's traversing the network, visibility into the applications, whether good or bad applications that are on that network. And so, for example, one of the tools we use and one of the hardware providers we like to use is Fortinet, and they have a thing called the Fortinet Fabric. And what that does, it basically puts a layer over your network. It identifies all devices, all networking devices, everything software-related on the network and gives you that one view basically, of the network security. Which is really critical in today's age and crucial for businesses.
Doug: Oh, absolutely. So, if I'm a typical business out there, how can I tell which one I'm dealing with? Somebody might say, "Well, yes, I'm an MSSP." But, they're really not getting that level of service. Is there a way for me to tell that?
Jorn: Probably, [inaudible 00:11:44] required to have a conversation with a trusted advisor, I would think. Without calling that out, or any specific type of business, I mean, simply put, it's what's in the contract? What are you providing for us from a coverage perspective? And I'll be frank, there are some MSPs that do security well. Cybersecurity falls into the IT services realm, right?
Doug: Yeah.
Jorn: Everybody that sees something, say something. Even within this cybersecurity framework, that's a part of that. And so, that being said, an owner rather, or a business, a stakeholder should make sure that, what they say is in the contract that they're doing, is exactly what they're doing. More importantly, are they being proactive? Are they coming to the business and saying, "Hey, look, we see something going on. We want to validate this with you. Can we jump on a call? Or, can we come in and have a conversation with you about..." Versus, something happens, and then they call their help desk-
Doug: Hmm.
Jorn: There's a stark operational difference there, right?
Doug: Yeah.
Jorn: And so, I think, those words of advice and those pointers for business owners, are important.
Doug: Yeah. You got into this a little bit Shawn, but-
Shawn: Right.
Doug: How are those services delivered, in terms of the difference there?
Shawn: Right, so in most cases, both an MSP and an MSSP, a security provider, and a managed service provider have different levels of support, tier one, tier two, tier three. The key difference, again, we're talking about problem management, versus preventative and forward-thinking and actually going out and hunting, is there a potential problem? Simply put though, a security organization is primarily focused on indicators of compromise. An event happens within a piece of software, an event happens within an email system, or whatever the case may be, or the endpoint protection. Those indicators could all tie into something that breaks the network, or that potentially causes harm to the data within the network. We're a data-first organization, so it's always about, what data do you have? Where's it going? Who owns it? And so on.
Doug: Absolutely.
Shawn: So, the biggest key difference, is just that. They're looking at how can we prevent something from happening versus, just keeping the lights on and looking. And again, just to be clear, so there's no ambiguity, managed service providers have a form of cybersecurity, in and out of their business. They're required to ensure that they keep up with their security posture as well.
Doug: Yeah, interesting. So, Jorn, what about the difference? And we see this a lot, we still have a lot of clients that, maybe they have their own servers, they're not in the cloud. So, they think, "Well, maybe I'm less vulnerable in that sense because my information isn't out there everywhere." Talk a little bit about maybe, the difference in threat levels, or between MSP and MSSP that you might deal with in a dedicated server environment, versus a cloud environment.
Jorn: Right. So, some people think, "I have everything in-house and I don't put anything out on the cloud," and so they're not at risk. But, everybody's at risk, everyone's a target. If your network's connected to the internet, you're a target. And you're at risk, because of that. Really, the only way to not be at risk would be to disconnect from the internet and never use portable storage. And it's not functional and not possible in today's age. The threats are ever-evolving faster and faster, just like technology. I mean, everybody knows technology changes almost daily. And-
Doug: Yeah.
Jorn: And so, the threats and the threat actors, they're changing daily too. So, it's more reason to get an MSSP involved. So, you have that insight.
Doug: Yeah, absolutely. And so, unless you're totally off the grid. In reality here, there's only a few of those folks out there, the real doomsday preppers, I guess-
Jorn: Right.
Doug: But-
Jorn: Yeah.
Doug: Well, Shawn, talk a little bit about the cloud then. Most folks, either they have moved, or they're thinking about it. So, what does that present to a company, in terms of either A, additional protection, or B, additional risk? And how does that change, maybe, the relationship I should have with an MSSP?
Shawn: Yeah. So, that's a great question. Simply put, it's all centered around your data and the controls you have around the data. What data is going into this cloud application? Or, maybe it's private cloud, versus public cloud. And so, that's a mouthful. And so, the clear difference, is the public cloud is... An example is Amazon Web Services. And so, that's a public cloud offering. A private cloud offering would be very similar services, but in a locked-down facility offered by a trusted provider, a trusted service provider, that has all of their infrastructure, to include all of the backups, mirrored, and there's disaster recovery in play. And that's all hosted in a private area, that has its own, different SOC levels and its own set of levels and controls as well.
Shawn: So, the question then lies is, what do you need to look at as it relates to risk? They all have risks, as it relates to where you're interacting with them? How they're monitored, as it relates to the identities that are accessing them? So, Doug Houser, Jorn Baxstrom. All the different users that interact with that cloud application, or that cloud instance, that has to have a set of controls around it. And so, really, in essence, it's the same, whether it's on-premise, or in the cloud. There are some [inaudible 00:18:29] to operate a little bit quicker and easier. But, simply put, an organization should still perform some assessment or some analysis on how they're interacting with their cloud applications.
Doug: And Jorn too, I know you've probably had experience with this. If you're doing these types of preventative measures, if you've got an MSSP where they're both threat and problem hunting, you've got these proper processes and procedures in place. That's going to help you mitigate not only the risk of some event happening, but I would think it means a lot in terms of insurance and all those things as well, right? Cyber insurance and that type of thing, certainly?
Jorn: Yeah. I've never dealt with the insurance side of it, but I'm sure it would reduce your cost of insurance.
Shawn: Absolutely.
Jorn: If you have cyber insurance, to begin with, some companies don't even have it. And are treading on thin ice, so-
Doug: Yeah, absolutely.
Shawn: And I can elaborate on that. So, more and more today, even the insurance companies that provide that service, they're expecting their clients to provide them with some formal written documentation that shows that they have some controls in place.
Doug: Hmm.
Shawn: Because, they need to understand how much risk they have and they're taking on when they're writing that business, right? And so, in essence, what we're saying there is, it's best that you have those ducks in a row already so that when you go and have a conversation with the cyber insurance organization, you can let them know that, "Hey, look, we've got an organization that comes in and does a risk assessment annually. We have a virtual security officer, that is on staff." Things like that.
Doug: Yeah, that's very important, certainly. Well, I would urge anybody obviously to contact our team, Shawn and Jorn and Ty and the whole team, for nothing else, to come in and do that assessment, to understand where your risks lie and help identify where you can improve. And these things are important, not just for your business today, but as you look for, at some point, a transition of your business, whether it be internal, or third party sale, they're going to want to know these things as they-
Shawn: Absolutely.
Doug: Look at that. And the better your processes and procedures and understanding of the risks in your business are, the more valuable your business becomes. So, it's really an investment. And these guys know their stuff, believe me. So, Shawn and Jorn, I know you've got additional resources for us. And you recently did a webinar on this topic as well. Can you talk a little bit about that here, before we wrap up?
Shawn: Yeah. So, very similar topic. And frankly, we're just driving home the importance of establishing a relationship with a trusted advisor, that is going to lead you in a direction, like you just mentioned, that's going to grow your business, right? And it's the investment that you want to take in putting your best foot forward to reduce the risk within your business. One of the modern-day threat mitigation and prevention measures is risk reduction. Why would you not consider having a conversation with somebody about how we can identify and close the doors that are open for you? So, one of the biggest takeaways that you'll find out of this and also on our webinars, our next step is, how does threat hunting differ for my team, within IT managed services and managed security services? The problems and events that go on, versus actually going out and looking at events that are going on and correlating them to a potential future problem. So, we're excited about that. We'll post the date here in the future, but that's the next step.
Doug: Awesome. Well, it's good stuff. I think it's always important to keep on top of this obviously and make sure that we're protected as best as we can and understand those risks. So, Shawn and Jorn, thank you both. And we'll look forward to having you on again soon.
Jorn: Thank you.
Shawn: Thank you, Doug.
Doug: Absolutely. And if you want more business tips and insight, or to hear previous episodes of unsuitable, visit our podcast page at www.reacpa.com/podcast. And while you're there, sign up for exclusive content and show notes. Thanks for listening to this week's show. Be sure to subscribe to unsuitable on Apple Podcasts, Google Podcasts, or wherever you're listening to us right now, including YouTube. I'm Doug Houser. Join us next week for another unsuitable interview with an industry professional.